Azure vpn basic tier. Forced tunneling

MagnusWestMadsen 25 Reputation points
2023-08-04T12:41:43.6733333+00:00

Hello.

Is it at all possible to set up forced tunneling for a P2S on a Basic tier VPN gateway?

We have an Azure environment that we need to route our traffic through when using our point-to-site.

Azure VPN Gateway
An Azure service that enables the connection of on-premises networks to Azure through site-to-site virtual private networks.

Accepted answer
    GitaraniSharma-MSFT 50,096 Reputation points Microsoft Employee Moderator
    2023-08-04T14:18:20.4766667+00:00

    Hello @Anonymous,

    Welcome to Microsoft Q&A Platform. Thank you for reaching out & hope you are doing well.

    I understand that you would like to know if it is possible to set up forced tunneling for a point-to-site VPN on a Basic SKU VPN gateway.

    Forced tunneling is supported on P2S VPN via custom routes and that forces all traffic from the client to Azure. You can direct all traffic to the VPN tunnel by advertising 0.0.0.0/1 and 128.0.0.0/1 as custom routes to the clients. Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    Basic SKU Route-based VPN gateway supports P2S connection only via the Azure Certificate authentication method, and you may be able to advertise 0.0.0.0/1 and 128.0.0.0/1 as custom routes to the clients.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-skus-legacy#config

    But please note that:

    Internet connectivity is not provided through the VPN gateway. As a result, all traffic bound for the Internet is dropped.

    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes#forced-tunneling

    So, your local/remote machine will not be able to access Internet once you configure this forced tunneling on P2S.

    Hence, you need to introduce another resource such as Azure Firewall or an NVA (Network Virtual Appliance) which can take care of the Internet connectivity.

    But there is another limitation on the traditional VPN gateway (when I say traditional VPN gateway, I mean a VPN gateway without vWAN solution, which is deployed directly into a Vnet) as below:

    Traditional VPN gateways do not have the EnableInternetSecurity flag option. This flag is needed and must be set to true for your clients to be properly configured for forced-tunneling/accessing Internet via the VPN gateway.

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/set-azvirtualnetworkgateway?view=azps-10.1.0

    However, the P2S VPN gateway under Virtual Hub has this option.

    Refer: https://learn.microsoft.com/en-us/powershell/module/az.network/update-azp2svpngateway?view=azps-10.1.0

    So, in order to reach the Internet via Azure P2S VPN gateway, you need to deploy a secured virtual hub with Azure firewall manager and add the P2S VPN Gateway to allow your egress traffic that will be controlled by a firewall policy.

    Refer: https://learn.microsoft.com/en-us/azure/firewall-manager/secure-cloud-network

    When you secure internet traffic via Azure Firewall (Firewall Manager), you can advertise the 0.0.0.0/0 route or any custom route to your VPN clients. This makes your clients send the internet bound traffic to Azure for inspection. Then, firewall SNATs the packet to the PIP of Azure Firewall for egress to Internet.

    To do this, you need to set up an Azure Firewall and then configure a Policy to allow P2S traffic to the Internet.

    You can also use an NVA instead of Azure Firewall as per your requirement.

    To advertise custom route to your VPN clients, refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-p2s-advertise-custom-routes

    You can also add the route directly in your downloaded azurevpnconfig.xml file as below:

    <clientconfig>
        <includeroutes>
            <route>
                <destination>1.2.3.4</destination><mask>32</mask>
            </route>
        </includeroutes>
    </clientconfig>


    Refer: https://learn.microsoft.com/en-us/azure/vpn-gateway/azure-vpn-client-optional-configurations#add-custom-routes

    You can refer to the below doc, which explains how to configure forced tunneling for Virtual WAN Point-to-site VPN, and take inputs on the configuration: https://learn.microsoft.com/en-us/azure/virtual-wan/how-to-forced-tunnel

    Another reference for you: https://learn.microsoft.com/en-us/answers/questions/589858/index.html

    Conclusion:

    If you want to configure forced tunneling via P2S which will allow you to send all traffic (including Internet-bound traffic) from remote users to Azure, then you need to do it via Virtual WAN Point to Site VPN.

    Using the traditional VPN gateway (Basic SKU or any other SKU), this is not possible.

    And Virtual WAN Point-to-site VPN gateway is differentiated using scale units and not SKU.

    Refer: https://learn.microsoft.com/en-us/azure/virtual-wan/virtual-wan-faq#for-user-vpn-point-to-site--how-many-clients-are-supported

    Kindly let us know if the above helps or you need further assistance on this issue.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
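As an added example (not from the answer above or from Microsoft's tooling): a Python helper that inserts the two /1 routes the answer describes into the <includeroutes> block of an azurevpnconfig.xml profile and checks whether the listed routes together cover all of IPv4. The sample profile is constructed from the <clientconfig> fragment shown in the answer; the real downloaded file wraps <clientconfig> in further elements, which the helper handles by searching for it.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample mirroring the <clientconfig> fragment in the answer.
# A real azurevpnconfig.xml has more elements around it; only this part matters here.
SAMPLE_PROFILE = """<clientconfig>
  <includeroutes>
    <route>
      <destination>1.2.3.4</destination><mask>32</mask>
    </route>
  </includeroutes>
</clientconfig>"""

# The two halves of IPv4 space. Advertised instead of 0.0.0.0/0, each /1 is more
# specific than the physical adapter's default route, so the VPN adapter wins.
FORCED_TUNNEL_ROUTES = ("0.0.0.0/1", "128.0.0.0/1")


def listed_routes(profile_xml: str) -> list:
    """Every <route> entry in the profile as an 'a.b.c.d/len' string."""
    root = ET.fromstring(profile_xml)
    return [f"{r.findtext('destination').strip()}/{r.findtext('mask').strip()}"
            for r in root.iter("route")]


def add_routes(profile_xml: str, prefixes=FORCED_TUNNEL_ROUTES) -> str:
    """Return profile_xml with each prefix added under <includeroutes>; idempotent."""
    root = ET.fromstring(profile_xml)
    cfg = root if root.tag == "clientconfig" else root.find(".//clientconfig")
    if cfg is None:
        raise ValueError("no <clientconfig> element in profile")
    inc = cfg.find("includeroutes")
    if inc is None:
        inc = ET.SubElement(cfg, "includeroutes")
    existing = set(listed_routes(profile_xml))
    for p in prefixes:
        net = ipaddress.IPv4Network(p, strict=True)  # rejects host bits set, e.g. 10.1.2.3/8
        if str(net) in existing:
            continue
        r = ET.SubElement(inc, "route")
        ET.SubElement(r, "destination").text = str(net.network_address)
        ET.SubElement(r, "mask").text = str(net.prefixlen)
    return ET.tostring(root, encoding="unicode")


def covers_all_ipv4(profile_xml: str) -> bool:
    """True when the listed routes collapse to 0.0.0.0/0, i.e. every destination is tunneled."""
    nets = [ipaddress.IPv4Network(r) for r in listed_routes(profile_xml)]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.IPv4Network("0.0.0.0/0")]
```

On a traditional (non-vWAN) gateway this only pulls Internet-bound traffic into the tunnel, where the gateway drops it, exactly as the answer warns.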


0 additional answers
